Mastering Windows Network Forensics and Investigation Chapter 8: The Registry Structure.

Chapter Topics: Registry History; Registry Structure & Terms; Registry Research; Viewing the Registry with Forensic Tools. (Slides dated June 3, 2015, © Wiley Inc. All Rights Reserved.)

Registry History. The registry is a massive database of system and program configuration settings. Legacy Windows (Windows 3.0) kept its settings in config.sys, autoexec.bat, and several ".ini" files. Those text files lacked a hierarchical structure and could not easily store binary data.

Registry History (continued). Windows 3.1 had the first rudiments of a registry; Windows 95 and Windows NT expanded it into roughly the form we see today. Each subsequent release has increased the size and complexity of the registry.

Registry Structure & Terminology. At the physical level, the registry is stored in hive files. Users rarely interact with the registry directly. Regedit is the current interface tool (regedt32 is the legacy tool); there is no Start-menu shortcut for it, so launch it via Run > regedit.

Regedit Interface (screenshot: the Key Pane on the left, the Value Pane on the right).

Five Root Keys (screenshot of the five root keys as Regedit displays them).

HKEY_CLASSES_ROOT (HKCR). Used to associate file types with the programs that open them, and to register classes for Component Object Model (COM) objects. It is the largest of the root keys in terms of the registry space it occupies. This key is derived from a linked merger of two keys, HKLM\Software\Classes and HKCU\Software\Classes, which effectively blends the machine-wide default settings with the per-user settings.

HKEY_CURRENT_USER (HKCU). Used to configure the environment for the console user. It is a per-user setting (specific only to this user) and is derived from a link to HKU\SID, where SID is the user's security identifier.

HKEY_CURRENT_CONFIG (HKCC). Used to establish the current hardware configuration profile. This key is derived from a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current. Current is in turn a link to HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\####, where #### is a number that increments starting at 0000. HKLM\SYSTEM\CurrentControlSet is itself a link to HKLM\SYSTEM\ControlSet###, where ### is a number that increments starting at 000. The value HKLM\SYSTEM\Select\Current determines which control set is current, and therefore which ControlSet### is used to create this key via the link.

HKEY_LOCAL_MACHINE (HKLM). Used to establish the per-computer settings. Settings found in this key apply to the machine and all of its users, covering all facets of the computer's function. This key is a master key and is not derived from any link, unlike the three keys above. During system startup, the local machine settings are loaded before the user-specific settings.

HKEY_USERS (HKU). Contains the user environment settings for the console user as well as for other users who have logged on to the system. There will be at least three subkeys: ".DEFAULT", "SID", and "SID_Classes", where SID is that of the console user. You may also find the SIDs S-1-5-18, S-1-5-19, and S-1-5-20, the well-known identifiers of the LocalSystem, LocalService, and NetworkService accounts, respectively. Any other SIDs found here belong to other users who have logged on to the machine. This key is a master key and is not derived from any link, unlike the first three root keys.

Derived vs. Master. Only HKEY_LOCAL_MACHINE (HKLM) and HKEY_USERS (HKU) are master keys; the remaining root keys are derived from other keys via links. At the physical level, each of the logical master keys has its source data in files called hives.

HKLM Subkeys (screenshot). HARDWARE is dynamic (volatile): it is built in memory at boot, exists only on a live machine, and has no hive file on disk.

HKLM Keys > Hive Files (hive key: hive file)
HKLM\SAM: %SYSTEMROOT%\System32\config\SAM
HKLM\SECURITY: %SYSTEMROOT%\System32\config\SECURITY
HKLM\SOFTWARE: %SYSTEMROOT%\System32\config\software
HKLM\SYSTEM: %SYSTEMROOT%\System32\config\system

The Evidence Vault (slide image).

HKU Keys > Hive Files (hive key: hive file)
HKU\.DEFAULT: %SYSTEMROOT%\System32\config\default
HKU\S-1-5-19: Documents and Settings\LocalService\ntuser.dat
HKU\S-1-5-19_Classes: Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
HKU\S-1-5-20: Documents and Settings\NetworkService\ntuser.dat
HKU\S-1-5-20_Classes: Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
HKU\SID: Documents and Settings\UserName\ntuser.dat
HKU\SID_Classes: Documents and Settings\UserName\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
(S-1-5-19 and S-1-5-20 are the well-known LocalService and NetworkService SIDs. The Documents and Settings paths are the Windows XP profile layout; on Vista and later the same two files live at \Users\UserName\ntuser.dat and \Users\UserName\AppData\Local\Microsoft\Windows\UsrClass.dat.)

HKLM\SYSTEM\CurrentControlSet\Control\hivelist (screenshot). This key lists every hive loaded on the live system, mapping each registry path (for example \REGISTRY\MACHINE\SYSTEM) to the file that backs it (for example \Device\HarddiskVolume1\Windows\System32\config\SYSTEM); volatile hives such as HARDWARE have no backing file.

Determining Current Control Set (screenshot of HKLM\SYSTEM\Select). Its REG_DWORD values Current, Default, LastKnownGood, and Failed each hold the number of a ControlSet###; Current names the one that CurrentControlSet links to on the live system.
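The link chain described above (Select\Current names a ControlSet###, which CurrentControlSet then links to, which Hardware Profiles\Current hangs off) is exactly what an examiner must resolve by hand when the hive is opened offline, because link keys are not stored in the file. The Python below is an added example, not code from the book or from any of the tools it lists: a minimal parser for the on-disk regf format (header checksum, cells, nk key nodes, vk values, lf/lh/li/ri subkey lists) that walks a SYSTEM hive to its Select key and names the control sets. It embeds a constructed sample hive (built by build_sample_hive; no real system data) so it runs stand-alone; on evidence, read %SYSTEMROOT%\System32\config\system from the image into `hive` and call control_sets(hive). Big-data ("db") value cells over 16 KiB are deliberately not handled.

```python
import struct
from functools import reduce
from operator import xor

HBIN_BASE = 0x1000      # hive bins start right after the 4 KiB regf file header
NO_OFFSET = 0xFFFFFFFF  # "no cell" marker in nk/vk offset fields

def header_checksum(hive):
    """XOR of the first 508 header bytes as 32-bit words (stored at offset 0x1FC)."""
    cs = reduce(xor, struct.unpack_from("<127I", hive, 0))
    return 0xFFFFFFFE if cs == 0xFFFFFFFF else (cs or 1)

def root_key_offset(hive):
    """Validate the regf header and return the root key's hbin-relative offset."""
    if hive[:4] != b"regf":
        raise ValueError("not a regf hive")
    if struct.unpack_from("<I", hive, 0x1FC)[0] != header_checksum(hive):
        raise ValueError("header checksum mismatch: truncated or damaged hive?")
    return struct.unpack_from("<I", hive, 0x24)[0]

def cell(hive, off):
    """Payload of the cell at hbin-relative `off`; its signed size is negative when allocated."""
    start = HBIN_BASE + off
    size = struct.unpack_from("<i", hive, start)[0]
    if size >= 0:
        raise ValueError(f"cell at {off:#x} is free, not allocated")
    return hive[start + 4 : start - size]

def _name(buf, at, length, is_ascii):
    raw = buf[at : at + length]
    return raw.decode("latin-1") if is_ascii else raw.decode("utf-16-le")

def key_name(hive, key_off):
    nk = cell(hive, key_off)
    if nk[:2] != b"nk":
        raise ValueError("not a key node")
    flags, nlen = struct.unpack_from("<H", nk, 0x02)[0], struct.unpack_from("<H", nk, 0x48)[0]
    return _name(nk, 0x4C, nlen, flags & 0x20)  # flag 0x20: name stored as ASCII

def _subkey_list(hive, list_off):
    lst = cell(hive, list_off)
    sig, count = lst[:2], struct.unpack_from("<H", lst, 2)[0]
    if sig in (b"lf", b"lh"):  # (offset, 4-byte hash) pairs
        return [struct.unpack_from("<I", lst, 4 + 8 * i)[0] for i in range(count)]
    if sig == b"li":           # bare offsets
        return [struct.unpack_from("<I", lst, 4 + 4 * i)[0] for i in range(count)]
    if sig == b"ri":           # index of sub-lists, used for very large keys
        return [k for i in range(count) for k in _subkey_list(hive, struct.unpack_from("<I", lst, 4 + 4 * i)[0])]
    raise ValueError(f"unknown subkey list {sig!r}")

def subkeys(hive, key_off):
    count, _volatile, list_off = struct.unpack_from("<III", cell(hive, key_off), 0x14)
    # Volatile subkeys (e.g. HKLM\HARDWARE) exist only in memory, never in the file.
    return [] if count == 0 or list_off == NO_OFFSET else _subkey_list(hive, list_off)

def values(hive, key_off):
    """{value name: (type id, raw bytes)} for one key."""
    count, list_off = struct.unpack_from("<II", cell(hive, key_off), 0x24)
    if count == 0 or list_off == NO_OFFSET:
        return {}
    lst, out = cell(hive, list_off), {}
    for i in range(count):
        vk = cell(hive, struct.unpack_from("<I", lst, 4 * i)[0])
        if vk[:2] != b"vk":
            raise ValueError("not a value cell")
        nlen, dsize, doff, dtype, vflags = struct.unpack_from("<HIIIH", vk, 0x02)
        name = _name(vk, 0x14, nlen, vflags & 1) if nlen else "(Default)"
        if dsize & 0x80000000:   # data of 4 bytes or less lives inside the offset field itself
            data = vk[0x08 : 0x08 + (dsize & 0x7FFFFFFF)]
        else:                    # (>16 KiB "db" big-data chains are not handled in this example)
            data = cell(hive, doff)[:dsize]
        out[name] = (dtype, bytes(data))
    return out

def find_key(hive, path):
    """Resolve a backslash path below the hive root to a key offset, case-insensitively."""
    key = root_key_offset(hive)
    for part in filter(None, path.split("\\")):
        key = next((s for s in subkeys(hive, key) if key_name(hive, s).lower() == part.lower()), None)
        if key is None:
            raise KeyError(part)
    return key

def control_sets(hive):
    """Name the ControlSet### that CurrentControlSet and LastKnownGood would link to."""
    sel = values(hive, find_key(hive, "Select"))
    return {n: "ControlSet%03d" % struct.unpack("<I", sel[n][1])[0]
            for n in ("Current", "Default", "LastKnownGood") if n in sel}

def build_sample_hive():
    """Constructed sample, not from any real system: root -> Select {Current=1, Default=1, LastKnownGood=2}."""
    order = ["root", "lf", "select", "vlist", "vk_cur", "vk_def", "vk_lkg"]
    length = {"root": 0x4C + 4, "lf": 12, "select": 0x4C + 6, "vlist": 12,
              "vk_cur": 0x14 + 7, "vk_def": 0x14 + 7, "vk_lkg": 0x14 + 13}
    csize = {n: (4 + length[n] + 7) // 8 * 8 for n in order}   # cells are 8-byte aligned
    off, pos = {}, 0x20                                        # first cell after the 32-byte hbin header
    for n in order:
        off[n], pos = pos, pos + csize[n]
    def nk(name, parent, nsub, sub_off, nval, val_off, flags):
        return b"nk" + struct.pack("<HQ" + "I" * 15 + "HH", flags, 0, 0, parent, nsub, 0, sub_off,
                                   NO_OFFSET, nval, val_off, NO_OFFSET, NO_OFFSET, 0, 0, 0, 0, 0, len(name), 0) + name
    def vk_dword(name, value):   # REG_DWORD (type 4) stored inline; flag 1 = ASCII name
        return b"vk" + struct.pack("<HIIIHH", len(name), 0x80000000 | 4, value, 4, 1, 0) + name
    payload = {"root": nk(b"ROOT", NO_OFFSET, 1, off["lf"], 0, NO_OFFSET, 0x2C),  # 0x04 = root key flag
               "lf": b"lf" + struct.pack("<HI", 1, off["select"]) + b"Sele",       # lf hash: first 4 chars
               "select": nk(b"Select", off["root"], 0, NO_OFFSET, 3, off["vlist"], 0x20),
               "vlist": struct.pack("<III", off["vk_cur"], off["vk_def"], off["vk_lkg"]),
               "vk_cur": vk_dword(b"Current", 1), "vk_def": vk_dword(b"Default", 1),
               "vk_lkg": vk_dword(b"LastKnownGood", 2)}
    body = b"".join(struct.pack("<i", -csize[n]) + payload[n].ljust(csize[n] - 4, b"\0") for n in order)
    hbin = (b"hbin" + struct.pack("<II", 0, 0x1000)).ljust(0x20, b"\0") + body
    hdr = (b"regf" + struct.pack("<IIQIIII", 1, 1, 0, 1, 5, 0, 1)   # seq numbers, time, v1.5, type, format
           + struct.pack("<III", off["root"], 0x1000, 1)).ljust(0x1FC, b"\0")
    hdr += struct.pack("<I", header_checksum(hdr))
    return hdr.ljust(0x1000, b"\0") + hbin.ljust(0x1000, b"\0")

if __name__ == "__main__":
    print(control_sets(build_sample_hive()))
```

The checksum check in root_key_offset is worth keeping when working from a carved or partially overwritten image: a hive whose header fails it is still parseable, but anything recovered from it should be reported as coming from a damaged file. Note also that the root key's name in a real SYSTEM hive is not "ROOT" but a generated name such as CMI-CreateHive{...}, which is why find_key takes paths relative to the root rather than matching its name.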

Registry Value Data Types (type name, numeric type id, description)
REG_NONE (0): Data type is not defined.
REG_SZ (1): Null-terminated text string in a user-friendly format, often used to describe components.
REG_EXPAND_SZ (2): Variable-length (expandable) string that may contain environment variable references such as %SystemRoot%, which are expanded when the value is read.
REG_BINARY (3): Binary data, displayed in the editor as hex.
REG_DWORD (4): 32-bit double-word value; the most common data type found in the registry.
REG_DWORD_LITTLE_ENDIAN (4): 32-bit double-word value stored least significant byte first. Because x86 processors already store integers this way, this name is synonymous with REG_DWORD and shares its type id.
REG_DWORD_BIG_ENDIAN (5): 32-bit double-word value stored most significant byte first.
REG_LINK (6): Internal-use-only data type for a Unicode symbolic link (the derived root keys and CurrentControlSet are implemented with these).
REG_MULTI_SZ (7): Multiple strings, each terminated by a null character, with an extra null (two consecutive nulls) marking the end of the list; in the UTF-16 form stored on disk each null is the byte pair 00 00.
REG_RESOURCE_LIST (8): Resource lists for devices or device drivers (the related per-device descriptor type, REG_FULL_RESOURCE_DESCRIPTOR, is id 9). You can view but not edit these lists in Regedit.
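Decoding raw value bytes according to the type ids above, as an added example that is not code from the book: strings in hive files are UTF-16LE with a terminating null, REG_DWORD is least-significant-byte-first while REG_DWORD_BIG_ENDIAN is the opposite, and REG_MULTI_SZ ends at a double null. The sample values in SAMPLES are constructed, not captured from a real system, and the environment table passed for %SystemRoot% expansion is an assumption (on a real case, take it from the evidence system, not from the examiner's workstation).

```python
import re
import struct

# Type ids as stored in a vk cell's type field. REG_DWORD_LITTLE_ENDIAN is the same id as REG_DWORD (4).
REG_NONE, REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ = range(8)


def _utf16(data):
    """Hive strings are UTF-16LE. A trailing odd byte cannot be a character, so drop it instead of failing."""
    return data[: len(data) & ~1].decode("utf-16-le", errors="replace")


def expand(text, env):
    """Expand %VAR% references as REG_EXPAND_SZ consumers do (case-insensitive names; unknown ones stay as-is)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), text)


def decode_value(dtype, data, env=None):
    """Turn raw value bytes into a Python value according to the registry type id."""
    if dtype in (REG_SZ, REG_EXPAND_SZ, REG_LINK):
        # Stop at the first null: anything after it is slack left over from an earlier, longer value.
        text = _utf16(data).split("\0", 1)[0]
        return expand(text, env) if dtype == REG_EXPAND_SZ and env is not None else text
    if dtype in (REG_DWORD, REG_DWORD_BIG_ENDIAN):
        if len(data) != 4:   # seen in damaged or deliberately malformed hives; do not silently truncate
            raise ValueError(f"32-bit value with {len(data)} bytes of data")
        # REG_DWORD: least significant byte first (78 56 34 12 -> 0x12345678);
        # REG_DWORD_BIG_ENDIAN: most significant byte first (12 34 56 78 -> 0x12345678).
        return struct.unpack("<I" if dtype == REG_DWORD else ">I", data)[0]
    if dtype == REG_MULTI_SZ:
        strings = []
        for s in _utf16(data).split("\0"):
            if s == "":        # the double null that ends the list shows up as an empty element
                break
            strings.append(s)
        return strings
    return bytes(data)         # REG_NONE, REG_BINARY and resource lists: keep raw for hex display


# Constructed sample values in on-disk form; not captured from a real system.
SAMPLES = {
    "ProductName": (REG_SZ, "Windows 7".encode("utf-16-le") + b"\0\0"),
    "ImagePath": (REG_EXPAND_SZ, "%SystemRoot%\\System32\\svchost.exe -k netsvcs".encode("utf-16-le") + b"\0\0"),
    "Start": (REG_DWORD, b"\x02\x00\x00\x00"),
    "Magic": (REG_DWORD_BIG_ENDIAN, b"\x12\x34\x56\x78"),
    "DependOnService": (REG_MULTI_SZ, "RpcSs\0Tcpip\0\0".encode("utf-16-le")),
    "Blob": (REG_BINARY, b"\xde\xad\xbe\xef"),
}


def decode_all(samples, env):
    """Decode every (type, raw) pair in `samples`, e.g. the dict a hive parser returns for one key."""
    return {name: decode_value(dtype, raw, env) for name, (dtype, raw) in samples.items()}


if __name__ == "__main__":
    # Assumed environment for %SystemRoot% expansion; take it from the evidence, not the examiner's box.
    for name, decoded in decode_all(SAMPLES, {"SYSTEMROOT": "C:\\Windows"}).items():
        print(f"{name:16} {decoded!r}")
```

The "stop at the first null" rule matters forensically in both directions: it is what Regedit shows, but the slack after the terminator can hold the remains of a previous, longer value, so a hex view of the raw bytes is still worth a look.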

Search in Regedit (screenshot). Edit > Find (Ctrl+F) searches key names, value names, and value data; F3 repeats the search from the current position.

Registry Analysis Tools: Regmon (Sysinternals/Microsoft; since superseded by Process Monitor); UserAssist analyzer; Access Data's Registry Viewer; Access Data's FTK Imager; EnCase (View File Structure).

Viewing Registry with Forensic Tools. Forensic tools: Access Data Registry Viewer; EnCase (View File Structure); ProDiscover; others. The off-line registry differs from the live registry: you mount or open the hive files themselves, so do not expect to see derived keys (HKCR, HKCU, HKCC, CurrentControlSet) or dynamic keys (HKLM\HARDWARE). The examiner resolves those links manually, for example by reading HKLM\SYSTEM\Select\Current to pick the right ControlSet### and by opening each user's ntuser.dat in place of HKCU.